7 HTTP session management


This chapter covers

  • Understanding HTTP cookies
  • Configuring HTTP sessions in Django
  • Choosing an HTTP session state persistence strategy
  • Preventing remote code execution attacks and replay attacks

In the previous chapter you learned about TLS. In this chapter you’ll build on top of that knowledge, literally. You’ll learn how HTTP sessions are implemented with cookies. You’ll also learn how to configure HTTP sessions in Django. Along the way I’ll show you how to safely implement session state persistence. Finally, you’ll learn how to identify and resist remote code execution attacks and replay attacks.

7.1 What are HTTP sessions?

HTTP sessions are a necessity for all but the most trivial web applications. Web applications use HTTP sessions to isolate the traffic, context, and state of each user. This is the basis for every form of online transaction. If you’re buying something on Amazon, messaging someone on Facebook, or transferring money from your bank, the server must be able to identify you across multiple requests.

7.2 HTTP cookies

7.3 Session state persistence

7.3.1 The session serializer

7.3.2 Simple cache-based sessions

7.3.3 Write-through cache-based sessions

7.3.4 Database-based session engine

7.3.5 File-based session engine

7.3.6 Cookie-based session engine

7.4 Summary